In this part of the lab, you will use the GNS3 network simulator to configure a site-to-site VPN solution.
From the dock at the bottom of the screen, click the Terminal icon to open a new Terminal window.
At the command prompt, type gns3 & and press Enter to open GNS3 in the background. It will take a few minutes for GNS3 to launch. When GNS3 opens, you will be asked to create a project or open an existing project.
In the Project window, click the Projects library tab, then select VPN Basics and click OK. When prompted, click No to ignore the update check.
This topology shows two networks (192.168.1.0/24 and 10.10.10.0/24), each behind its own firewall connected to an Internet service provider (ISP). This lab will guide you through configuring a site-to-site VPN tunnel on the firewalls so that the 192.168.1.0/24 network and the 10.10.10.0/24 network can reach each other securely over the Internet.
In the topology window, right-click the Site-A firewall device and select Start to power up the firewall, then do the same for the Site-B firewall device.
In the topology window, right-click the Site-A firewall device and select Console to open a TigerVNC console, then do the same for the Site-B firewall device. You must wait for the firewalls to be fully up before continuing. Wait until you see the following menu on both firewalls before continuing with the lab:
Note: The firewall can take up to 3 minutes to fully boot up.
Close both the Site-A and Site-B console windows.
On the GNS3 control bar, click the Start button (the large green arrow) to power on all devices. When prompted, click Yes to continue. In the GNS3 topology window, you will see all connections turn green, indicating the hosts are powered on and connected to the network.
In the topology window, right-click the Browser-A host and select Console to open a VNC console connection to the Browser-A host. As the host's name indicates, the TigerVNC console will launch with a web browser window open. You will use the web browser to connect to the pfSense appliance's web GUI. Although you could interact with the pfSense appliance directly through the command line interface that you saw when you started the device, the web GUI is easier to use for instructional purposes.
In the web browser, click the pfSense - Login bookmark to connect to the pfSense firewall. If prompted with a security warning, click Advanced > Accept the Risk to continue.
On the pfSense login page, click the Sign In button to sign in using the saved credentials.
From the menu bar at the top, click Firewall and select Rules to open the Rules table for the WAN interface.
On the Firewall / Rules / WAN page, note a rule has been added allowing ICMP (ping) from any source IP ( * ) to the WAN address. A similar rule has been added to the Site-B firewall. This rule is not required for a VPN to work, but it is helpful to ensure the remote site is reachable. In production, a rule like this would be disabled after testing.
From the pfSense menu bar, click Diagnostics and select Ping to open the Ping diagnostic tool.
On the Diagnostics / Ping page, type 203.0.113.5 in the Hostname field, then click Ping to ping the external interface of the Site-B firewall. At the bottom of the page, you should see a positive result.
Now that we know Site-B is reachable, let's configure the Site-A side of the VPN. In our new site-to-site VPN, Site-A will be the initiator, and Site-B will be the responder. Once we have both sides configured, we will manually start the VPN tunnel from Site-A.
From the pfSense menu bar, click VPN and select IPsec to open the VPN / IPsec / Tunnels page. As we learned in the Core Concepts lesson, IPsec creates two tunnels: the first authenticates the peers (IKE Phase 1) and the second encrypts the data (IKE Phase 2). On the pfSense firewall, the first tunnel is referred to as P1 (Phase 1), and the second is P2 (Phase 2).
On the VPN / IPsec / Tunnels page, click Add P1 to create a new IKE Phase 1 Security Association (SA).
On the VPN / IPsec / Tunnels / Edit Phase 1 page, enter the following details, then click Save at the bottom of the page. Unless told to change a value, accept the defaults.
Description: Connection to Site-B
Remote Gateway: 203.0.113.5
Pre-Shared Key: cybrary
Encryption Algorithm: set the Key Length to 256 bits
Child SA Close Action: Restart/Reconnect
Note: For the purposes of this lab, we are using pre-shared keys for authentication because pre-shared keys are easier to use than certificates. However, a short key like "cybrary" is not secure. In a production system, you should always use longer and stronger keys (which pfSense can generate for you).
On the VPN / IPsec / Tunnels page, click Apply Changes and wait for the new Phase 1 SA to be activated.
On the VPN / IPsec / Tunnels page, under the newly configured Phase 1 SA, click Show Phase 2 Entries (0), then click Add P2 to create a new IKE Phase 2 Security Association (SA).
On the VPN / IPsec / Tunnels / Edit Phase 2 page, enter the following details, then click Save at the bottom of the page. Unless told to change a value, accept the defaults.
Description: Site-B
Remote Network: Network 10.10.10.0 / 24
Encryption Algorithms: AES192-GCM / Auto only
On the VPN / IPsec / Tunnels page, click Apply Changes and wait for the new Phase 2 SA to be applied.
On the VPN / IPsec / Tunnels page, under the Phase 1 SA, click Show Phase 2 Entries (1). Your P1 and P2 should match the following screenshot:
From the menu bar at the top, click Firewall and select Rules, then select the IPsec tab to open the Rules table for the IPsec interface. Notice that there are no rules allowing traffic over the IPsec tunnel.
Click the Add button to begin adding a new rule. Note: There is an Add with an up arrow and an Add with a down arrow. Because there are currently no rules, you can use either one.
On the Firewall / Rules / Edit page, enter the following details, then click Save at the bottom of the page. Unless told to change a value, accept the defaults.
Protocol: Any
Source: Network 10.10.10.0 / 24
Destination: LAN net
On the Firewall / Rules / Edit page, click Apply Changes. When done, your new IPsec firewall rule should match the following screenshot:
Note: While this rule would be overly permissive for a production environment, it is a good rule to use during testing. Now, let's configure the other side of the site-to-site VPN.
In the GNS3 topology window, right-click the Browser-B host and select Console to open a VNC console connection to the Browser-B host. As the host's name indicates, the TigerVNC console will launch with a web browser window open. This may take 20-30 seconds.
In the web browser, click the pfSense - Login bookmark to connect to the pfSense firewall. If prompted with a security warning, click Advanced > Accept the Risk to continue.
On the pfSense login page, click the Sign In button to sign in using the saved credentials.
From the pfSense menu bar, click VPN and select IPsec to open the VPN / IPsec / Tunnels page.
On the VPN / IPsec / Tunnels page, click Add P1 to create a new IKE Phase 1 Security Association (SA).
On the VPN / IPsec / Tunnels / Edit Phase 1 page, enter the following details, then click Save at the bottom of the page. Unless told to change a value, accept the defaults.
Description: Connection to Site-A
Remote Gateway: 198.51.100.3
Pre-Shared Key: cybrary
Encryption Algorithm: set the Key Length to 256 bits
Life Time: 31680
Child SA Start Action: None (Responder Only)
Child SA Close Action: Close connection and clear SA
On the VPN / IPsec / Tunnels page, click Apply Changes and wait for the new Phase 1 SA to be configured.
On the VPN / IPsec / Tunnels page, under the newly configured Phase 1 SA, click Show Phase 2 Entries (0), then click Add P2 to create a new IKE Phase 2 Security Association (SA).
On the VPN / IPsec / Tunnels / Edit Phase 2 page, enter the following details, then click Save at the bottom of the page. Unless told to change a value, accept the defaults.
Description: Site-A
Remote Network: Network 192.168.1.0 / 24
Encryption Algorithms: AES192-GCM / Auto only
Life Time: 5400
On the VPN / IPsec / Tunnels page, click Apply Changes and wait for the new Phase 2 SA to be configured.
On the VPN / IPsec / Tunnels page, under the Phase 1 SA, click Show Phase 2 Entries (1). Your P1 and P2 should match the following screenshot:
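Before moving on to the firewall rules, it is worth checking that the two sides really are mirror images of each other: each firewall's Remote Gateway must be the other's WAN address, the pre-shared keys and proposals must match, and each Remote Network must be the other site's LAN. The script below is an added example, not part of the lab or of pfSense; it encodes the values entered on Site-A and Site-B and reviews them the way you would before clicking Connect. The values the lab left at their defaults on Site-A (a P1 lifetime of 28800 s and a P2 lifetime of 3600 s) are assumed to be pfSense's defaults, and the 20-character minimum for the pre-shared key is an assumed policy floor.

```python
"""Added example (not part of the lab or pfSense): check that the Site-A and
Site-B IPsec settings are mirror images of each other before connecting."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Phase1:
    remote_gateway: str      # Remote Gateway field
    psk: str                 # Pre-Shared Key field
    proposal: str            # Encryption Algorithm and key length
    lifetime: int            # Life Time, seconds
    responder_only: bool     # Child SA Start Action = None (Responder Only)


@dataclass(frozen=True)
class Phase2:
    local_network: str       # Local Network (the site's own LAN subnet)
    remote_network: str      # Remote Network field
    proposal: str            # Encryption Algorithms field
    lifetime: int            # Life Time, seconds


@dataclass(frozen=True)
class Site:
    name: str
    wan_address: str         # the firewall's own WAN (external) address
    p1: Phase1
    p2: Phase2


# The two endpoints as configured in the lab. Site-A's lifetimes were left at
# their defaults; 28800 s (P1) and 3600 s (P2) are assumed pfSense defaults.
SITE_A = Site("Site-A", "198.51.100.3",
              Phase1("203.0.113.5", "cybrary", "AES-256", 28800, responder_only=False),
              Phase2("192.168.1.0/24", "10.10.10.0/24", "AES192-GCM", 3600))
SITE_B = Site("Site-B", "203.0.113.5",
              Phase1("198.51.100.3", "cybrary", "AES-256", 31680, responder_only=True),
              Phase2("10.10.10.0/24", "192.168.1.0/24", "AES192-GCM", 5400))

MIN_PSK_LEN = 20   # assumed policy floor for a pre-shared key


def check_pair(a: Site, b: Site) -> List[Tuple[str, str]]:
    """Return (severity, message) findings. 'error' means the tunnel will not
    establish or will not carry the intended networks; 'warn' is a hardening
    or stability concern that does not stop the tunnel from coming up."""
    findings: List[Tuple[str, str]] = []

    # 1. Each side's Remote Gateway must be the other side's WAN address, and
    #    each side's Remote Network must be the other side's local network.
    for x, y in ((a, b), (b, a)):
        if x.p1.remote_gateway != y.wan_address:
            findings.append(("error", f"{x.name} remote gateway {x.p1.remote_gateway} "
                                      f"is not {y.name}'s WAN address {y.wan_address}"))
        if x.p2.remote_network != y.p2.local_network:
            findings.append(("error", f"{x.name} remote network {x.p2.remote_network} "
                                      f"is not {y.name}'s local network {y.p2.local_network}"))

    # 2. Authentication and proposals must agree exactly on both sides.
    if a.p1.psk != b.p1.psk:
        findings.append(("error", "pre-shared keys differ"))
    if a.p1.proposal != b.p1.proposal:
        findings.append(("error", f"P1 proposals differ: {a.p1.proposal} vs {b.p1.proposal}"))
    if a.p2.proposal != b.p2.proposal:
        findings.append(("error", f"P2 proposals differ: {a.p2.proposal} vs {b.p2.proposal}"))

    # 3. Overlapping subnets would never be routed into the tunnel.
    local = ipaddress.ip_network(a.p2.local_network)
    remote = ipaddress.ip_network(a.p2.remote_network)
    if local.overlaps(remote):
        findings.append(("error", f"{local} and {remote} overlap"))

    # 4. Exactly one side initiates; the other waits as responder.
    if a.p1.responder_only and b.p1.responder_only:
        findings.append(("error", "both sides are responder-only; nothing will initiate"))
    initiator, responder = (b, a) if a.p1.responder_only else (a, b)

    # 5. With IKEv2 the lifetimes are local policy, not negotiated, so each side
    #    rekeys on its own timer. Giving the initiator the shorter lifetime means
    #    it always rekeys first instead of both peers racing at the same moment.
    for phase in ("p1", "p2"):
        li = getattr(initiator, phase).lifetime
        lr = getattr(responder, phase).lifetime
        if li >= lr:
            findings.append(("warn", f"{phase.upper()} lifetime on initiator ({li}s) is not "
                                     f"shorter than on responder ({lr}s)"))

    # 6. The lab's own note: a short, guessable pre-shared key is not production grade.
    if len(a.p1.psk) < MIN_PSK_LEN:
        findings.append(("warn", f"pre-shared key is only {len(a.p1.psk)} characters; "
                                 f"use a long random key generated by pfSense"))
    return findings


def errors(findings: List[Tuple[str, str]]) -> List[str]:
    return [m for s, m in findings if s == "error"]


def warnings(findings: List[Tuple[str, str]]) -> List[str]:
    return [m for s, m in findings if s == "warn"]


if __name__ == "__main__":
    for severity, message in check_pair(SITE_A, SITE_B):
        print(f"[{severity}] {message}")
```

Run against the lab's values, the checker reports no errors and a single warning about the short pre-shared key. The lifetime check is why the lab gives Site-B (the responder) the longer values of 31680 and 5400: Site-A, the initiator, reaches its 28800 s and 3600 s timers first and drives every rekey.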
From the menu bar at the top, click Firewall and select Rules, then select the IPsec tab to open the Rules table for the IPsec interface.
Click the Add button to begin adding a new rule.
On the Firewall / Rules / Edit page, enter the following details, then click Save at the bottom of the page. Unless told to change a value, accept the defaults.
Protocol: Any
Source: Network 192.168.1.0 / 24
Destination: LAN net
On the Firewall / Rules / Edit page, click Apply Changes. When done, your new IPsec firewall rule should match the following screenshot:
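The IPsec-tab rule added on each site passes any protocol from the remote LAN to the whole local LAN, which the Site-A step notes is more than a production network should allow. The script below is an added example, not part of the lab or of pfSense; it models how pfSense evaluates interface rules (top to bottom, first match wins, default deny for anything unmatched) and compares the lab's rule with a tighter production-style set on Site-A. The LAN host 192.168.1.50, the ports, and the "app server" role given to 192.168.1.10 are constructed for illustration; only the two subnets and the Linux-A address come from the lab.

```python
"""Added example (not part of the lab or pfSense): first-match evaluation of
IPsec-tab firewall rules, comparing the lab's testing rule with a tighter
production-style rule set."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

net = ipaddress.ip_network
SITE_B_LAN = net("10.10.10.0/24")
LAN_NET = net("192.168.1.0/24")      # what "LAN net" resolves to on Site-A


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    proto: str                       # "any", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # None matches any destination port
    description: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, description) of the first rule that matches, or the
    implicit default deny when no rule matches."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for rule in rules:
        if rule.proto != "any" and rule.proto != pkt.proto:
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        return rule.action, rule.description
    return "block", "default deny"


# The single rule the lab adds on Site-A's IPsec tab.
LAB_RULES = [
    Rule("pass", "any", SITE_B_LAN, LAN_NET,
         description="lab: any protocol from Site-B LAN to LAN net"),
]

# A production-style replacement: only the services the remote site needs.
# The HTTPS "app server" role for 192.168.1.10 is constructed for the example.
PROD_RULES = [
    Rule("pass", "icmp", SITE_B_LAN, LAN_NET, description="ping for troubleshooting"),
    Rule("pass", "tcp", SITE_B_LAN, net("192.168.1.10/32"), 443,
         description="HTTPS to the app server"),
]

# Constructed test traffic arriving through the tunnel from Site-B.
PING_LINUX_A = Packet("icmp", "10.10.10.10", "192.168.1.10")
HTTPS_APP = Packet("tcp", "10.10.10.10", "192.168.1.10", 443)
SSH_OTHER_HOST = Packet("tcp", "10.10.10.10", "192.168.1.50", 22)   # 192.168.1.50 is constructed


def compare(pkt: Packet) -> Tuple[str, str]:
    """Action taken under the lab rule set and under the production rule set."""
    return evaluate(LAB_RULES, pkt)[0], evaluate(PROD_RULES, pkt)[0]


if __name__ == "__main__":
    for name, pkt in (("ping Linux-A", PING_LINUX_A),
                      ("HTTPS to app server", HTTPS_APP),
                      ("SSH to other host", SSH_OTHER_HOST)):
        lab, prod = compare(pkt)
        print(f"{name:20} lab={lab:5} prod={prod}")
```

The ping used later in the lab passes under both rule sets, so the tighter rules would not break the test; the difference shows up for traffic the remote site has no business sending, such as SSH to an arbitrary LAN host, which the lab rule passes and the production set drops on the default deny.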
Restore the TigerVNC console for the Browser-A host.
From the pfSense menu bar, click Status and select IPsec to open the Status / IPsec / Overview page.
On the Status / IPsec / Overview page, click Connect P1 and P2s to activate the VPN tunnel. Take note of the values on this page. You will need them to answer some of the questions on the Tasks tab.
In the GNS3 topology window, right-click Linux-A and select Console. In the terminal window, a new tab will open for the Linux-A host.
On the Linux-A tab, type ping -c 8 10.10.10.10 and press Enter.
Notice you can ping 10.10.10.10 from the 192.168.1.0/24 network as if it were a local resource. The VPN tunnel and the firewall rules have connected the two remote networks! Now let's try it from the other direction.
Open a console to Linux-B and ping the Linux-A host at 192.168.1.10. Congratulations! You've created and tested a site-to-site tunnel using IPsec in tunnel mode. You will have a chance to validate your understanding of this process in the challenge exercise.